Office of the Inspector General
Office of Audit

Review of the Back-up and Recovery Procedures at the National
Computer Center - A-13-96-11052 - 6/19/97

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
SCOPE
RESULTS OF REVIEW
  BRP Only Addresses Short Term Requirements
  Processing Death Notices Is Not Considered a Critical Workload
  No Clear Policy for FOs to Follow for Walk-In Clients
  Cabinets Containing Back-up Tapes for OSSF Were Observed Unlocked
  Entrance to the Back-up Tape Vault at OSSF Did Not Have a Lock to Prevent Unauthorized Access
  Requirements in the Contract for Transporting Back-up Tapes Are Not Being Verified
CONCLUSION AND RECOMMENDATIONS

EXECUTIVE SUMMARY

Each year, the Social Security Administration (SSA) processes
over 220 million earnings records, pays monthly benefits to about
45 million individuals, and issues new or replacement Social Security
cards to over 16 million people. These activities are supported
by SSA's automated systems at the National Computer Center
(NCC) in Baltimore, Maryland. Due to the critical role of the NCC
in performing these functions, it is essential that SSA provide
for continuing operations in the event of a disruption to functions
performed at the NCC.

SSA is required by the Office of Management and Budget (OMB)
Circular A-130 to have in place a disaster recovery plan for its
automated systems. Specifically, OMB Circular A-130, "Security
of Federal Automated Information Systems" requires that agencies
maintain disaster recovery and continuity of operations plans for
all information technology installations should events occur that
prevent normal operations at the installation.
Plans should be
fully documented and periodically tested. The objective of this
review was to determine if SSA is in compliance with OMB Circular
A-130 and provisions of the Privacy Act of 1974 which apply to
security and confidentiality of records used in back-up and recovery
procedures.

SSA has made significant improvements in its back-up and
recovery planning since the Office of the Inspector General (OIG)
last reported in March 1984. SSA has chosen a recovery strategy
to process only the critical workloads at a shared commercial back-up
facility, a strategy we believe is the most cost-effective for
SSA. SSA's Back-up and Recovery Plan (BRP) is documented and
updated annually. Once a year, SSA tests its BRP by bringing up
the system at a commercial back-up facility. The network is tested
by having several Program Service Centers (PSC) and field offices
(FO) submit on-line transactions directly to the back-up facility.

Generally, we believe SSA is in compliance with OMB Circular
A-130 and provisions of the Privacy Act of 1974 relating to the
security and confidentiality of records used in back-up and recovery
procedures. However, some improvements should be made in the BRP
and other areas. Specifically, with respect to information contained
in SSA's January 31, 1996 BRP document, we found that:

- The BRP only addresses short term (42 days) recovery requirements.
For a long-term outage, there has been no planning by senior
management for setting goals for the level of data processing
service to be provided, nor for when SSA becomes fully operational.
The level of service to be provided will determine the computer
hardware requirements. Without the setting of service level goals
by senior management, adequate planning cannot take place for
the acquisition, installation, and operation of computer equipment
necessary to meet management's objectives.

- The BRP identifies critical workloads SSA would process
in the event of a disaster.
However, the processing of death
notices to quickly remove beneficiaries from payment status is
not considered a critical workload and is given the lowest priority
to process. Based on current data provided by SSA, on average
over 156,000 benefit payments are terminated monthly due to the
death of the beneficiary. Thus, if payments are not terminated,
SSA would be issuing over $105 million monthly to deceased beneficiaries.
Once full data processing services have been restored, SSA would
then have to generate recovery notices. The recovery notices
would create an enormous follow-up workload for SSA; and in some
cases, erroneous payments would not be recovered.

- The goal stated in the BRP is to restore on-line services
to the FOs within 72 hours of a declared disaster. However, there
is no policy in the BRP on what information, if any, is to be
obtained from walk-in clients during the first 72 hours. Not
having a clearly stated policy for the FOs to follow will result
in confusion and inconsistency in the level of service provided
to the client.

With respect to observations made at the Metro West (MW)
building, the off-site storage facility (OSSF), and information
contained in the contract for transporting the back-up tapes, we
found that:

- On May 1, 1996 one of the two cabinets at the MW building
for transporting the back-up tapes to OSSF was unlocked. An unlocked
tape cabinet permits unauthorized disclosure to the casual or
curious observer and, therefore, is not in full compliance with
the security and confidentiality provisions in the Privacy Act
of 1974.

- The entrance to the back-up tape vault at the OSSF on
June 11, 1996 did not have a cipher lock to prevent unauthorized
access by the Office of Central Records Operations (OCRO) personnel.
About 25 people from OCRO have unauthorized access to the OSSF
tape vault.
As a result, personal records on the back-up tapes
are not secured as required by physical safeguard provisions
in the Privacy Act of 1974.

- Compliance with requirements in the back-up tape transportation
contract is not being verified by SSA. For example, during shipping,
the temperature and relative humidity in the tape cargo area
should be recorded daily by the vendor and should be verified
monthly by SSA to the specifications in the contract. We found
that the shipping process was exposing the back-up tapes to critical
environmental changes in temperature and relative humidity. Changes,
especially in temperature, could have damaged the tapes during
shipping and caused the data to be unusable.

To improve its Back-up and Recovery Planning process, we
are recommending SSA:

- Begin planning for a long-term outage. The plan should
include a time table for increasing the level of data processing
service. It should also have a stated goal of when SSA would
be fully operational again after a long-term outage.

- Perform a cost/benefit analysis to determine the feasibility
of processing death notices as a critical workload.

- Establish a clear policy for treating walk-in clients
while the "system" is being brought up at the back-up
facility.

- Reinforce established procedures which call for tape cabinets
to be locked before leaving the NCC and have supervisors verify
that the cabinets are locked.

- Secure the entrance to the OSSF tape vault permitting
access to only authorized OCRO personnel.

- Verify contractor's compliance with requirements in
the back-up tape transportation contract.

BACKGROUND

OMB Circular A-130 requires that Federal agencies develop
a disaster recovery plan.
The objective of the plan should be to
provide reasonable continuity of data processing support should
events occur that prevent normal operations at the installation.
The plan should be fully documented and operationally tested periodically,
at a frequency commensurate with the risk and magnitude of loss
or harm that could result from the disruption of data processing
support. In addition, the Privacy Act of 1974 requires each agency
that maintains a system of records to "establish appropriate
administrative, technical and physical safeguards to ensure the
security and confidentiality of records and to protect against
any anticipated threats or hazards to their security or integrity."

In the mid 1980's, SSA became aware of its BRP inadequacy.
This awareness was a result of SSA's reacting to: (1) regulatory
requirements, (2) an OIG Contingency Planning report, and (3) changes
that were taking place in its processing environment. During the
last decade, the Agency made two significant changes. First, SSA
greatly increased the use of on-line processing to support its
field operations. Second, SSA instituted toll-free telephone communications,
the effectiveness of which rests almost entirely on the NCC computers
and on-line terminals. However, SSA realized that its BRP could
not even provide limited on-line support, beginning SSA's effort
to redefine its disaster recovery strategy.

In 1989, SSA sought advice and guidance from the National
Academy of Sciences (NAS) concerning long-range planning for systems
modernization. NAS concluded that, "SSA should limit its disaster
recovery strategy to a chosen set of critical functions rather
than planning to back-up all of its processing functions, because
full back-up is impractical." Acting on NAS's advice,
SSA, in 1990, began to evaluate normal workloads for determining
those which would be considered critical.
Based on this evaluation,
SSA determined it would need approximately 20 percent of the computer
terminals used in FOs, PSCs, and teleservice centers to support the
critical workloads.

Next, SSA evaluated the cost and benefits associated with
several back-up and recovery alternatives. There were 13 alternatives
evaluated, each of which involved the use of a commercial or a
Government-owned facility. SSA considered two to be the most viable.
The first alternative was to acquire a shared commercial service.
The second was to modify an existing SSA facility and move a portion
of the NCC computer resources to provide a back-up capability.

The alternative back-up and recovery strategy approved by
the Commissioner on June 3, 1991 was to acquire a shared commercial
service. Concurrently, the Commissioner approved the designation
of the critical workloads that would be processed at the back-up
facility. On June 29, 1993, SSA contracted with COMDISCO in
North Bergen, New Jersey to provide SSA's back-up support.
The contract has a 1-year base with a 3-year option for a total
contract life of 4 years from June 29, 1993 to June 28, 1997.

SCOPE

Our review was performed in accordance with generally accepted
government auditing standards. Field work was performed at SSA
headquarters in Baltimore, Maryland; Metro West building in Baltimore
City, Maryland; OSSF in Boyers, Pennsylvania; and at the back-up
facility (COMDISCO) in North Bergen, New Jersey between February
1996 and August 1996.
The objective of this review was to determine
if SSA is in compliance with OMB Circular A-130 and the Provisions
of the Privacy Act of 1974 relating to the security and confidentiality
of records used in back-up and recovery procedures.

To achieve our objective for this review, we:

- reviewed OMB Circular A-130 and the Privacy Act of 1974
which respectively require SSA to develop a disaster recovery
plan and to also protect the security and confidentiality of
records;

- reviewed previous studies done by OIG and others in this
area;

- reviewed SSA's January 31, 1996 Back-up and Recovery
Plan document;

- reviewed SSA's recovery test results documents for
December 1993, August 1994, and January 1996 conducted at the
back-up facility;

- reviewed SSA's contract with the back-up facility
vendor, the lease agreement for OSSF, and the contract for transporting
the back-up tapes to OSSF;

- interviewed SSA personnel responsible for the back-up
and recovery process;

- performed an analysis to determine if all the terminals
designated as back-up devices were actually identified using
the network software by regional personnel; and

- made a site visit to the MW building, in Baltimore City,
Maryland; to OSSF in Boyers, Pennsylvania; and to the back-up
facility in North Bergen, New Jersey.

RESULTS OF REVIEW

Generally, we found that SSA was in compliance with OMB Circular
A-130 and the provisions of the Privacy Act of 1974 relating to
security and confidentiality of records used for back-up and recovery
procedures. However, further improvements are needed to strengthen
SSA's overall back-up and recovery planning process. BRP only
addresses SSA's short term outage (42 days) requirements. SSA
has not planned for a long-term outage, nor set goals for the level
of data processing service they want to provide. This information
is important for determining the hardware requirements and their
availability.
Also, to minimize erroneous payments and improve
efficiency, SSA should reconsider processing death notices as a
critical workload. Furthermore, we observed the cabinets for transporting
the back-up tapes to OSSF were not always locked and a lock has
not been installed on the door of the tape vault at OSSF to prevent
unauthorized access. Finally, SSA has not been verifying the contractor's
compliance with requirements in its tape transportation contract.

BRP Only Addresses Short Term Requirements

BRP document only addresses a short term solution to SSA's
back-up and recovery needs. The short term solution is to process
only SSA's critical workloads at a commercial back-up facility.
The critical workloads represent about 20 percent of SSA's
total workloads and SSA has contracted with COMDISCO to provide
the back-up services. The contract permits SSA to use COMDISCO's
computer equipment for up to 42 days. After that, COMDISCO would
provide a room for up to 180 days with a raised floor, power, and
other supplies necessary for installing computer equipment supplied
by SSA. This arrangement is referred to as a "shell site."

However, in the event of a long-term outage, which we have
defined as greater than 42 days, we found no evidence of long-term
planning by SSA's senior management for what level of data
processing service they expect to provide and a goal for when SSA
should be fully operational again. The expected level of data processing
service will drive the computer hardware requirements needed for
the "shell site." Without the setting of service level
goals by senior management, adequate planning cannot take place
for the acquisition, installation, and operation of computer equipment
necessary to meet management's objectives.

SSA should have a plan for phasing in more service and have
a stated goal for when senior management would like to have data
processing services fully restored.
A work group should then be
established to determine if hardware could be acquired, installed
and made operational in time to meet the service level goal. This
information should be documented in the BRP.

Processing Death Notices Is Not Considered A Critical Workload

Because there will only be a limited number of terminals
available (20 percent of existing terminals) in the event of a
disaster, SSA, through its BRP, has identified the critical workloads
it would process. SSA made a decision to process only those events
that are favorable to the beneficiary. Examples of these events
include placing an individual in pay status, changing address information,
or increasing a benefit amount. However, SSA did not consider the
costs and benefits (such as trust fund savings and work load savings)
of considering death terminations a critical event. As a result,
death notices, which would remove beneficiaries
from payment status, would not be processed. We believe SSA should
reconsider processing death notices as a critical workload because
of the negative impact it would have on future SSA workloads and
risk of wasting program finances if death notices were not processed
in a timely manner.

Currently, over 156,000 beneficiaries are terminated monthly
because of death. In a disaster situation, if death notices were
not processed timely, SSA would be issuing over $105 million monthly
to ineligible beneficiaries. Once full data processing services
have been restored, SSA would then have to generate recovery notices.
The recovery notices would create an enormous workload for follow-up
and in some cases, the erroneous payments would not be recovered.

In making another comparison, it is currently costing SSA
$29,500 a month for the right to use COMDISCO's computers to
process all of SSA's critical workloads.
The addition of one
more workload item, death notices, to the critical workload list
should not significantly increase the total cost of the back-up
contract. We believe this additional cost is a modest amount when
compared to the potential loss to the trust funds of $105 million
a month, and the additional operating expense SSA would incur for
processing a large recovery workload, if death notices were not
processed timely.

While we generally agree with SSA's policy for identifying
critical workloads, we also believe that SSA should reevaluate
its decision of not processing death notices as a critical workload.
A cost/benefit analysis should be performed to determine the feasibility
of processing death notices as a critical workload. This analysis
should weigh the possible additional cost to SSA, if any, against
the benefit of preventing uncollectible losses to the trust funds
and eliminating large recovery workloads.

No Clear Policy For FOs To Follow For Walk-In Clients

BRP does not contain a clear policy on how the field/district
offices are to handle walk-in clients while the "system" is
being brought up at the back-up facility. The goal for SSA is to
be operational within 72 hours of the Commissioner's declaring
a disaster. For the first 72 hours or so, the FOs will not
be able to get on-line to help walk-in clients. BRP does not specifically
state how the FOs are expected to treat these walk-in clients.

With SSA having over 1,300 FOs and not having a stated policy,
there may be an inconsistency in the level of service provided
to walk-in clients during the first 72 hours. Several scenarios
may occur. Some FOs may try to take all the information on paper
necessary for processing a claim at a later time, when the processing
capability is restored.
Other FOs may take certain client information
such as name, address, Social Security number, telephone number,
and reason for visit, then recontact the client when processing
capability is restored. Other FOs may not take any information
and tell the walk-in client to recontact the office in a few days.

SSA should incorporate within BRP a clear policy on what
information the FOs are to take from walk-in clients while processing
capability is being restored at the back-up facility. A clear policy
will help eliminate the confusion and inconsistency in the level
of service provided to the client.

Cabinets Containing The Back-Up Tapes For OSSF Were Observed Unlocked

NCC ships daily to the MW building (OCRO) the back-up tapes
from the previous day's updates. MW serves as an interim storage
site, where twice weekly the tapes are shipped from MW to the permanent
OSSF located in Boyers, Pennsylvania.

On May 1, 1996 we reviewed the tape receiving and handling
procedures at the MW building. We found that on several occasions,
unlocked tape cabinets had been shipped to the MW building from
Office of Systems (OS) personnel at NCC. We determined that the
unlocked cabinets were caused by the failure of OS personnel to
follow established procedures and by supervisors not verifying
that procedures were followed. An unlocked tape cabinet permits unauthorized
disclosure to the casual or curious observer. Therefore, SSA is
not in full compliance with provisions of the Privacy Act of 1974
which apply to security and confidentiality of records used in
back-up and recovery procedures.
The Privacy Act of 1974 requires
SSA to "establish appropriate administrative, technical, and
physical safeguards to insure the security and confidentiality
of records and to protect against any anticipated threats or hazards
to the security or integrity which could result in substantial
harm, embarrassment, inconvenience, or unfairness to any individual
on whom information is maintained."

Management should remind OS personnel of the importance of
locking the cabinets before transporting the back-up tapes to OSSF.
Supervisors at NCC should verify that the cabinets are locked before
transporting the back-up tapes.

Entrance To The Back-Up Tape Vault At OSSF Did Not Have A Lock To Prevent Unauthorized Access

Physical security over the back-up tape vault at OSSF is
not effectively maintained because the entrance to the back-up
tape vault does not have a lock to prevent unauthorized access.
SSA has about 78,500 square feet of storage space at OSSF, including
about 6,250 square feet for the back-up tape vault. Currently,
35 people from OCRO permanently work at OSSF, including 10 people
with authorized access to the tape vault room. The remaining OCRO
personnel handle requests for information to be retrieved or work
the SS-5 process which is a processing request for Social Security
cards that come directly by mail from district offices.

The back-up tapes are delivered by the transportation contractor
to OSSF late (10:00 p.m. to 12:00 p.m.) on Mondays and Thursdays.
The truck stays in the secured OSSF truck corral until the next
morning when the back-up tapes are delivered to OCRO's back
door. Once received, OCRO personnel verify that the shipment of
tapes has the proper sequence number and the cargo seal has not
been broken. OCRO personnel use a fork lift to remove the tape
cabinets since the truck does not have a gate lift and OCRO does
not have a loading dock.
The tape cabinets are placed in a staging
area inside OCRO's secured space but outside the tape vault
room. The cabinets are unlocked (same key for all cabinets) and
loaded on to smaller carts of about 50 tapes in order to get through
the air lock at the entrance into the tape vault room. The cabinets
will not fit through the air lock.

The entrance of the air lock did not have a cipher lock to
prevent unauthorized access by OCRO personnel into the tape vault
area. The lack of a physical security device permits easy access
for the back-up tapes to be stolen or destroyed. If any of the
tapes were stolen or destroyed and a disaster were declared at
the NCC, it could result in a permanent loss of critical beneficiary
data to SSA.

We were told that only 10 people--the office manager, the
6 technicians who work in the tape vault, the janitor, and two
mechanical maintenance people--are allowed in the tape vault. However,
we found there was nothing to prevent the other 25 OCRO personnel
in the immediate area from entering the tape vault. In 1990, major
improvements were made in the tape vault room to reduce air dust
that could cause tape damage. The OSSF vendor installed a suspended
metal ceiling, a vinyl tile floor and an air lock entrance, but
did not replace the lock. We believe that it was an oversight that
a cipher lock was not installed on the new air lock entrance.

SSA should install a lock on the tape vault door at OSSF
to prevent unauthorized access by OCRO personnel and to comply
with the confidentiality provisions of the Privacy Act of 1974.

Requirements In The Contract For Transporting Back-Up Tapes Are Not Being Verified

SSA has contracted with National Underground Storage (NUS)
to transport its back-up tapes from the MW building in Baltimore,
Maryland to the OSSF in Boyers, Pennsylvania.
We found that SSA
is not verifying all the requirements in the contract with NUS
and consequently, is not in compliance with provisions of the Privacy
Act of 1974 which apply to security and confidentiality of records.
We categorized the requirements into four task groups:

In the task one group, we identified those tasks which require
NUS to provide physical security over the tapes. Examples of tasks
would include: the truck must have a working alarm system, the
transport area must have a device to securely hold the carts/boxes
in place during transportation, and the truck must be telephone
equipped. Through our observations and interviews, we were satisfied
that these requirements were being met.

In the task two group, we identified those tasks which require
NUS to provide environmental security over the tapes. The transportation
contract requires NUS to maintain in the cargo area, at all times,
a temperature of 40 - 85 degrees Fahrenheit and humidity of 20 - 70
percent while transporting SSA's back-up tapes. To determine
compliance with this requirement, we observed one of NUS's
tape deliveries to the NCC. The NUS truck did not have a climate
control unit (air conditioning and heating unit), dedicated to
controlling, monitoring and recording the temperature and humidity
inside the cargo area. Instead, NUS modified the cab of the truck
by cutting a 3 and one-half inch hole through the cab back into
the cargo box and attached a blower in the cab to push cab air
back into the cargo area.

Modifying the truck this way does not meet the temperature
and humidity control requirement in the transportation contract
for the following reasons. First, the opening in the cargo area
is positioned so that, when cargo (a tape cabinet) is pushed up
against it, the opening is blocked and no air is able to circulate
in the cargo area.
For example, the day we observed the truck there
was a tape cabinet secured up against the cargo opening and it
was impossible for any heat to circulate inside the cargo area
from the cab. We found the cabinets to be ice cold to our touch
because heat had not been circulating in the cargo area. We estimated
the temperature in the cargo area to have been between 28 and 32 degrees
during transit from Boyers, Pennsylvania to the NCC. These temperatures
are well below the minimum contract temperature of 40 degrees and
could result in the tapes freezing up.

Second, we were informed that the driver must stop in Breezewood,
Pennsylvania to rest for 8 hours after being on the road for
10 hours, as required by the U.S. Department of Transportation.
During this 8 hour rest period, the truck engine is turned off;
consequently, no air is circulating in the cargo area during this
time. The driver arrives at the rest stop around noon and the tape
cabinets sit in the afternoon sun during the hottest part of the
day. This is a problem in the summer when temperatures typically
exceed 90 degrees. Temperature in the cargo area would also be
exceeding 90 degrees, well over the maximum allowable contract
temperature of 85 degrees.

Finally, NUS is only taking the temperature and humidity
in the cargo area when the truck is leaving Boyers, Pennsylvania.
The contract calls for a specific temperature and humidity range
to be maintained at all times during transport. In order for NUS
to meet this requirement, they would have to be continually monitoring
the temperature and humidity in the cargo area during transport.
Our observations found no equipment on the NUS truck to monitor
the temperature and humidity during transport. The round trip takes
approximately 20 hours and the cargo area temperature and humidity
could dramatically change in that time period.
Based on these facts,
we conclude that SSA has no assurance the cargo area has been environmentally
safe when transporting SSA's tapes to OSSF in Boyers, Pennsylvania.

In the task three group, we identified those tasks which
require NUS to provide qualified and bonded drivers. The contract
authorizes SSA to review driving records for the last 3 years and
requires that all drivers be bonded for at least $150,000. Through
interviews we found that SSA has never requested to review driving
records or verified that the drivers are bonded for $150,000 each.
We were able to verify for ourselves, however, that the drivers
are currently bonded for $1 million each.

In the task four group, we identified the remaining tasks
not identified above. These tasks include providing timely pickup
and delivery of back-up tapes and personnel to ensure safe/secure
loading and unloading of back-up tapes at SSA loading docks. Through
interviews and reviewing time logs, we were satisfied that these
requirements were being met.

Verification of all contract requirements for compliance
is important to the overall integrity and security of the back-up
tapes. The back-up tape shipping process exposes critical media
to environmental changes in temperature and relative humidity.
Changes, especially in temperature, could damage the tapes causing
the data to be unusable in a disaster recovery situation. Also,
to help ensure that only qualified drivers are transporting SSA's
back-up tapes, SSA should be reviewing driving records and verifying
that each driver is bonded for the amount stated in the contract.

CONCLUSION AND RECOMMENDATIONS

SSA has made significant improvements in its back-up and
recovery planning since we last reported in March 1984. At that
time, back-up and recovery planning at SSA only included batch
systems. Today both on-line and batch systems are included in back-up
and recovery planning.
BRP is well-documented and is periodically
updated and tested by bringing the "system" up at a commercial
back-up facility. Generally, we believe SSA is in compliance with
OMB Circular A-130 and the Privacy Act of 1974 relating to security
and confidentiality of records used for back-up and recovery procedures.
However, improvements could be made in the back-up and recovery
planning process. Specifically, we are recommending that SSA:

1. Begin planning for a long-term outage. The plan should
include a time table for increasing the level of data processing
service and have a stated goal for when SSA would like to be
fully operational again after a declared disaster. The plan should
also include a hardware study to determine if equipment can be
acquired, installed, and made operational in time to meet the
service-level goal of senior management. All this information
should be documented in the BRP.

2. Perform a cost/benefit analysis to determine the feasibility
of processing death notices as a critical workload and add processing
death notices to the BRP if this cost/benefit analysis demonstrates
cost worthiness.

3. Establish a clear policy in the BRP for treating walk-in
clients while the "system" is being brought up at the
back-up facility.

4. Reinforce established procedures which call for tape
cabinets to be locked before leaving NCC and have supervisors
verify that the cabinets are locked.

5. Secure the entrance to the tape vault permitting access
to only authorized OCRO personnel.

6. Ensure the contractor complies immediately with the environmental
requirements in the contract. Also, verify on an ongoing basis,
the contractor's compliance with all the requirements in
the back-up tape transportation contract.